diff options
Diffstat (limited to 'www/dev_guide/safeDelegation.rst')
-rw-r--r-- | www/dev_guide/safeDelegation.rst | 40 |
1 files changed, 40 insertions, 0 deletions
diff --git a/www/dev_guide/safeDelegation.rst b/www/dev_guide/safeDelegation.rst new file mode 100644 index 0000000..87f3dc1 --- /dev/null +++ b/www/dev_guide/safeDelegation.rst @@ -0,0 +1,40 @@ +Safe Delegation +=============== + +(safeDelegation) + +Safe delegation, as provided by Zope and Allaire's Spectra, is not +implemented in Cheetah. The core aim has been to help developers +and template maintainers get things done, without throwing +unnecessary complications in their way. So you should give write +access to your templates only to those whom you trust. However, +several hooks have been built into Cheetah so that safe delegation +can be implemented at a later date. + +It should be possible to implement safe delegation via a future +configuration Setting {safeDelegationLevel} (0=none, 1=semi-secure, +2-alcatraz). This is not implemented but the steps are listed here +in case somebody wants to try them out and test them. + +Of course, you would also need to benchmark your code and verify it +does not impact performance when safe delegation is off, and +impacts it only modestly when it is on." All necessary changes can +be made at compile time, so there should be no performance impact +when filling the same TO multiple times. + + +#. Only give untrusted developers access to the .tmpl files. + (Verifying what this means. Why can't trusted developers access + them?) + +#. Disable the {#attr} directive and maybe the {#set} directive. + +#. Use Cheetah's directive validation hooks to disallow references + to {self}, etc (e.g. {#if $steal(self.thePrivateVar)} ) + +#. Implement a validator for the $placeholders and use it to + disallow '\_\_' in $placeholders so that tricks like + {$obj.\_\_class\_\_.\_\_dict\_\_} are not possible. + + + |